[CLA-2004:834] Conectiva Security Announcement - openssl

From: Conectiva Updates (secure_at_conectiva.com.br)
Date: 03/31/04

    Date: Wed, 31 Mar 2004 16:50:45 -0300
    To: conectiva-updates@papaleguas.conectiva.com.br, lwn@lwn.net, bugtraq@securityfocus.com, security-alerts@linuxsecurity.com, linsec@lists.seifried.org

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - --------------------------------------------------------------------------
    CONECTIVA LINUX SECURITY ANNOUNCEMENT
    - --------------------------------------------------------------------------

    PACKAGE : openssl
    SUMMARY : Remote denial of service vulnerabilities
    DATE : 2004-03-31 16:49:00
    ID : CLA-2004:834
    RELEVANT
    RELEASES : 8, 9

    - -------------------------------------------------------------------------

    DESCRIPTION
     OpenSSL[1] implements the Secure Sockets Layer (SSL v2/v3) and
     Transport Layer Security (TLS v1) protocols as well as full-strength
     general purpose cryptography functions. It is used (as a library) by
     several projects, like Apache, OpenSSH, Bind, OpenLDAP and many
     other client and server programs.
     
     This update fixes three denial of service vulnerabilities that affect
     OpenSSL versions distributed with Conectiva Linux:
     
     CAN-2004-0079: Null-pointer assignment during SSL handshake[3]. A
     remote attacker can exploit this vulnerability by performing a
     specially crafted SSL handshake that will crash the application. This
     vulnerability was discovered by the OpenSSL team using the
     Codenomicon TLS Test Tool and affects OpenSSL versions distributed
     with Conectiva Linux 8 (0.9.6c) and 9 (0.9.7a).
     
     CAN-2004-0081: Infinite loop when handling unknown TLS message
     types[4]. A remote attacker can exploit this vulnerability by sending
     specially crafted TLS messages, causing the application to enter an
     infinite loop. Conectiva Linux 9 (OpenSSL-0.9.7a) is not vulnerable
     to this issue.
     
     CAN-2004-0112: Out-of-bounds read with Kerberos ciphersuites[5].
     Stephen Henson discovered a vulnerability in the SSL/TLS handshaking
     code when using Kerberos ciphersuites. A remote attacker can exploit
     it to crash an application which uses Kerberos ciphersuites. The
     OpenSSL version distributed with Conectiva Linux 8 (OpenSSL-0.9.6c)
     is not vulnerable to this issue and there are no known applications
     using Kerberos ciphersuites in Conectiva Linux 9.

    SOLUTION
     All openssl users should upgrade.
     
     Please note that, in order to complete the upgrade process, you must
     restart all running applications that are linked to the openssl
     libraries after the new packages are installed. You can see a list of
     such applications using the lsof utility, as seen below:
     
     # lsof | egrep '(libcrypto|libssl)'
     
     Services (like apache and openssh daemons) can be restarted using the
     "service" command. For example:
     
     # service httpd restart
     # service sshd restart
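The lsof check above tells you which processes have the OpenSSL libraries open, but not which of them are still executing the pre-upgrade copy. The following script is an added example, not part of the Conectiva advisory: it reads /proc/<pid>/maps directly (Linux only, and it assumes the usual maps field layout), so it also works where lsof is not installed, and it separates processes that merely map libcrypto/libssl from those whose mapped library file has been replaced on disk, which the kernel marks "(deleted)". The function names and the sample records at the bottom are constructed for illustration; by default it runs against those samples, and `--live` scans the real /proc.

```shell
#!/bin/sh
# Added example, not part of the Conectiva advisory: after installing the new
# openssl packages, find the processes that still have libcrypto/libssl mapped
# (they keep running the old code until restarted). Reads /proc/<pid>/maps, so
# it works on a Linux box even where lsof is not installed.

# list_ssl_pids FILE
#   FILE holds one record per mapping: "<pid> <comm> <path> [(deleted)]".
#   Prints each distinct pid that has an OpenSSL shared object mapped.
list_ssl_pids() {
    awk '$3 ~ /lib(crypto|ssl).*\.so/ { print $1 }' "$1" | sort -un
}

# list_stale_ssl_pids FILE
#   Same records, but only mappings the kernel flags "(deleted)": the library
#   file was replaced on disk, yet the process still executes the old copy.
#   These are the processes that must be restarted.
list_stale_ssl_pids() {
    awk '$3 ~ /lib(crypto|ssl).*\.so/ && $4 == "(deleted)" { print $1 }' "$1" | sort -un
}

# collect_maps OUTFILE
#   Builds the records above from the live /proc (Linux only). Processes that
#   exit while we scan are skipped rather than aborting the run.
collect_maps() {
    : > "$1"
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}; pid=${pid%/maps}
        comm=$(cat "/proc/$pid/comm" 2>/dev/null) || comm='?'
        # maps fields: address perms offset dev inode pathname [(deleted)]
        awk -v p="$pid" -v c="$comm" \
            'NF >= 6 && $6 ~ /^\// { print p, c, $6, $7 }' "$m" 2>/dev/null >> "$1" || true
    done
}

# Constructed sample records (not real output) so the functions can be
# exercised without root: httpd and sshd still run the replaced 0.9.6 libs,
# postfix was started after the upgrade and maps the new file on disk.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
1234 httpd /usr/lib/libssl.so.0.9.6 (deleted)
1234 httpd /usr/lib/libcrypto.so.0.9.6 (deleted)
1234 httpd /lib/libc.so.6
2345 sshd /usr/lib/libcrypto.so.0.9.6 (deleted)
3456 bash /lib/libc.so.6
4567 postfix /usr/lib/libssl.so.0.9.6
EOF

# Run against the sample by default; pass --live to scan the real /proc.
if [ "${1:-}" = "--live" ]; then
    LIVE_FILE=$(mktemp)
    collect_maps "$LIVE_FILE"
    TARGET="$LIVE_FILE"
else
    TARGET="$SAMPLE_FILE"
fi

echo "pids with OpenSSL mapped:        $(list_ssl_pids "$TARGET" | tr '\n' ' ')"
echo "pids still running old OpenSSL:  $(list_stale_ssl_pids "$TARGET" | tr '\n' ' ')"
```

On the constructed sample the first line lists 1234, 2345 and 4567, while the second lists only 1234 and 2345: postfix already maps the new file, so only httpd and sshd need the `service ... restart` shown above. On a real system, a process that shows up in the second list after you believe everything was restarted is the one to look at first.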
     
     
     REFERENCES
     1. http://www.openssl.org/
     2. http://www.openssl.org/news/secadv_20040317.txt
     3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0079
     4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0081
     5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0112

    UPDATED PACKAGES
    ftp://atualizacoes.conectiva.com.br/8/RPMS/openssl-0.9.6c-2U80_8cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/8/RPMS/openssl-devel-0.9.6c-2U80_8cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/8/RPMS/openssl-devel-static-0.9.6c-2U80_8cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/8/RPMS/openssl-doc-0.9.6c-2U80_8cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/8/RPMS/openssl-progs-0.9.6c-2U80_8cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/8/SRPMS/openssl-0.9.6c-2U80_8cl.src.rpm
    ftp://atualizacoes.conectiva.com.br/9/RPMS/openssl0.9.7-0.9.7a-28910U90_2cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/9/RPMS/openssl-devel-0.9.7a-28910U90_2cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/9/RPMS/openssl-devel-static-0.9.7a-28910U90_2cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/9/RPMS/openssl-doc-0.9.7a-28910U90_2cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/9/RPMS/openssl-progs-0.9.7a-28910U90_2cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/9/SRPMS/openssl0.9.7-0.9.7a-28910U90_2cl.src.rpm

    ADDITIONAL INSTRUCTIONS
     The apt tool can be used to perform RPM package upgrades:

     - run: apt-get update
     - after that, execute: apt-get upgrade

     Detailed instructions regarding the use of apt and upgrade examples
     can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

    - -------------------------------------------------------------------------
    All packages are signed with Conectiva's GPG key. The key and instructions
    on how to import it can be found at
    http://distro.conectiva.com.br/seguranca/chave/?idioma=en
    Instructions on how to check the signatures of the RPM packages can be
    found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

    - -------------------------------------------------------------------------
    All our advisories and generic update instructions can be viewed at
    http://distro.conectiva.com.br/atualizacoes/?idioma=en

    - -------------------------------------------------------------------------
    Copyright (c) 2004 Conectiva Inc.
    http://www.conectiva.com

    - -------------------------------------------------------------------------
    subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
    unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQFAayEU42jd0JmAcZARAs6OAJ4vuumdJWJFypgaplbaXWSyiXVKMQCg44Bz
    DT+Jr6ga5BKDkX2dxB6kc0I=
    =ZzSr
    -----END PGP SIGNATURE-----

